diff --git a/.circleci/config.yml b/.circleci/config.yml
index a75ac7a91..08d55ae0e 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -109,12 +109,12 @@ executors:
     environment:
       S2I_VERSION: "1.1.12-2a783420"
       DOCKER_COMPOSE_VERSION: "1.16.1"
-      OPENRESTY_VERSION: "1.19.3.5-20-centos8"
+      OPENRESTY_VERSION: "1.19.3.6-20-centos8"
 
   openresty:
     working_directory: /opt/app-root/apicast
     docker:
-    - image: quay.io/3scale/s2i-openresty-centos7:1.19.3.5-20-centos8
+    - image: quay.io/3scale/s2i-openresty-centos7:1.19.3.6-20-centos8
     - image: redis:3.2.8-alpine
     environment:
       TEST_NGINX_BINARY: openresty
diff --git a/CHANGELOG.md b/CHANGELOG.md
index b310b85f7..6f054165d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -22,6 +22,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/).
 - Fixed Acess log header [PR #1284](https://github.com/3scale/APIcast/pull/1284) [THREESCALE-6193](https://issues.redhat.com/browse/THREESCALE-6193)
 - Fixed Payload limit jsonschema [PR #1293](https://github.com/3scale/APIcast/pull/1293) [THREESCALE-6965](https://issues.redhat.com/browse/THREESCALE-6965)
 - Fixed Status code overwrite policy jsonschema [PR #1294](https://github.com/3scale/APIcast/pull/1294) [THREESCALE-7238](https://issues.redhat.com/browse/THREESCALE-7238)
+- Fixed TLS host validation [PR #1295](https://github.com/3scale/APIcast/pull/1295) [THREESCALE-768](https://issues.redhat.com/browse/THREESCALE-768)
 
 ### Added
 
diff --git a/t/apicast-policy-upstream_mtls.t b/t/apicast-policy-upstream_mtls.t
index fb321ac7f..b3ede5a36 100644
--- a/t/apicast-policy-upstream_mtls.t
+++ b/t/apicast-policy-upstream_mtls.t
@@ -385,7 +385,7 @@ $Test::Nginx::Util::ENDPOINT_SSL_PORT = Test::APIcast::get_random_port();
       "backend_authentication_type": "service_token",
       "backend_authentication_value": "token-value",
       "proxy": {
-        "api_backend": "https://test:$Test::Nginx::Util::ENDPOINT_SSL_PORT/",
+        "api_backend": "https://localhost:$Test::Nginx::Util::ENDPOINT_SSL_PORT/",
         "proxy_rules": [
           { "pattern": "/", "http_method": "GET", "metric_system_name": "hits", "delta": 2 }
         ],
@@ -456,7 +456,7 @@ $Test::Nginx::Util::ENDPOINT_SSL_PORT = Test::APIcast::get_random_port();
       "backend_authentication_type": "service_token",
       "backend_authentication_value": "token-value",
       "proxy": {
-        "api_backend": "https://test:$Test::Nginx::Util::ENDPOINT_SSL_PORT/",
+        "api_backend": "https://localhost:$Test::Nginx::Util::ENDPOINT_SSL_PORT/",
         "proxy_rules": [
           { "pattern": "/", "http_method": "GET", "metric_system_name": "hits", "delta": 2 }
         ],
@@ -505,7 +505,7 @@ GET /?user_key=value
 routines:tls_process_server_certificate:certificate verify failed
 
 
-=== TEST 7: MTLS policy with correct one correct CA certificate works
+=== TEST 7: MTLS policy with correct CA works as expected
 --- init eval
 $Test::Nginx::Util::ENDPOINT_SSL_PORT = Test::APIcast::get_random_port();
 --- user_files fixture=mutual_ssl.pl eval
@@ -526,7 +526,7 @@ $Test::Nginx::Util::ENDPOINT_SSL_PORT = Test::APIcast::get_random_port();
       "backend_authentication_type": "service_token",
       "backend_authentication_value": "token-value",
       "proxy": {
-        "api_backend": "https://test:$Test::Nginx::Util::ENDPOINT_SSL_PORT/",
+        "api_backend": "https://localhost:$Test::Nginx::Util::ENDPOINT_SSL_PORT/",
         "proxy_rules": [
           { "pattern": "/", "http_method": "GET", "metric_system_name": "hits", "delta": 2 }
         ],
@@ -575,3 +575,74 @@ ssl_client_i_dn: CN=localhost,OU=APIcast,O=3scale
 --- error_code: 200
 --- no_error_log
 [error]
+
+
+=== TEST 8: MTLS policy with correct CA certificate, but invalid host
+The upstream host will use `test` instead of localhost, so things are expected
+to fail due to TLS certs are set for localhost
+--- init eval
+$Test::Nginx::Util::ENDPOINT_SSL_PORT = Test::APIcast::get_random_port();
+--- user_files fixture=mutual_ssl.pl eval
+--- backend
+  location /transactions/authrep.xml {
+    content_by_lua_block {
+      local expected = "service_token=token-value&service_id=42&usage%5Bhits%5D=2&user_key=value"
+      require('luassert').same(ngx.decode_args(expected), ngx.req.get_uri_args(0))
+    }
+  }
+--- configuration eval
+<<EOF
+{
+  "services": [
+    {
+      "id": 42,
+      "backend_version":  1,
+      "backend_authentication_type": "service_token",
+      "backend_authentication_value": "token-value",
+      "proxy": {
+        "api_backend": "https://test:$Test::Nginx::Util::ENDPOINT_SSL_PORT/",
+        "proxy_rules": [
+          { "pattern": "/", "http_method": "GET", "metric_system_name": "hits", "delta": 2 }
+        ],
+        "policy_chain": [
+          { "name": "apicast.policy.apicast" },
+          {
+            "name": "apicast.policy.upstream_mtls",
+            "configuration": {
+                "certificate": "$ENV{TEST_NGINX_SERVER_ROOT}/html/client.crt",
+                "certificate_type": "path",
+                "certificate_key": "$ENV{TEST_NGINX_SERVER_ROOT}/html/client.key",
+                "certificate_key_type": "path",
+                "ca_certificates": [
+                  "$Test::Nginx::Util::UPSTREAM_INVALID_CA_CERT",
+                  "$Test::Nginx::Util::UPSTREAM_CA_CERT"
+                ],
+                "verify": true
+            }
+          }
+        ]
+      }
+    }
+  ]
+}
+EOF
+--- upstream eval
+<<EOF
+  listen $Test::Nginx::Util::ENDPOINT_SSL_PORT ssl;
+
+  ssl_certificate $ENV{TEST_NGINX_SERVER_ROOT}/html/server.crt;
+  ssl_certificate_key $ENV{TEST_NGINX_SERVER_ROOT}/html/server.key;
+
+  ssl_client_certificate $ENV{TEST_NGINX_SERVER_ROOT}/html/client.crt;
+  ssl_verify_client on;
+
+  location / {
+     echo 'ssl_client_s_dn: \$ssl_client_s_dn';
+     echo 'ssl_client_i_dn: \$ssl_client_i_dn';
+  }
+EOF
+--- request
+GET /?user_key=value
+--- error_code: 502
+--- error_log
+upstream SSL certificate does not match